Solution (unvalidated)

In server-to-server callers of signUpEmail, do an explicit pre-flight email + username uniqueness check against the `user` table before invoking signUpEmail. Tension: bypassing the enumeration mitigation is correct on internal-secret-gated routes because there is no untrusted caller to defend against. Outcome: return a clean 409 on collision. Add a belt-and-braces post-call check: `SELECT user.id WHERE id = result.user.id`; if the row doesn't exist, refuse to use the id.
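The two checks described above, as an added example that is not code from the page or from any auth library: `signUpEmail` is an assumed stub that, under an enumeration mitigation, answers a duplicate with a success-shaped result whose id was never inserted; the `user` table is an in-memory stand-in, and `afterPreflight` is a hypothetical test seam for simulating an insert that races the pre-flight check.

```typescript
// Added example (not page or library code): an internal, secret-gated sign-up
// helper around an assumed signUpEmail() stub, with pre- and post-call checks.
type User = { id: string; email: string; username: string };
type SignUpInput = { email: string; username: string; password: string };
type Outcome = { status: 201; userId: string } | { status: 409; reason: string };

// Constructed stand-in for the `user` table (one pre-existing row).
export const userTable: User[] = [{ id: "u-1", email: "alice@example.com", username: "alice" }];

// Assumed stub of signUpEmail under an enumeration mitigation: on a duplicate it
// answers with a success-shaped result whose id was never inserted, not an error.
export async function signUpEmail(body: SignUpInput): Promise<{ user: { id: string } }> {
  if (userTable.some((u) => u.email === body.email || u.username === body.username)) {
    return { user: { id: `phantom-${userTable.length}` } };
  }
  const id = `u-${userTable.length + 1}`;
  userTable.push({ id, email: body.email, username: body.username });
  return { user: { id } };
}

// SELECT user.id WHERE id = ? against the stand-in table.
export async function existsById(id: string): Promise<boolean> {
  return userTable.some((u) => u.id === id);
}

// Server-to-server caller. `afterPreflight` is a hypothetical test seam used to
// simulate a concurrent insert between the pre-flight check and the call.
export async function internalSignUp(
  input: SignUpInput,
  afterPreflight?: () => Promise<void>,
): Promise<Outcome> {
  // Pre-flight: explicit email + username uniqueness check. Safe on an
  // internal-secret-gated route, where there is no untrusted caller to enumerate.
  const clash = userTable.find((u) => u.email === input.email || u.username === input.username);
  if (clash) {
    return { status: 409, reason: clash.email === input.email ? "email taken" : "username taken" };
  }
  if (afterPreflight) await afterPreflight();
  const result = await signUpEmail(input);
  // Belt-and-braces: trust the returned id only if its row really exists. A missing
  // row means signUpEmail inserted nothing (e.g. a collision that raced the
  // pre-flight), so refuse the id and report a collision instead of using it.
  if (!(await existsById(result.user.id))) {
    return { status: 409, reason: "signUpEmail returned an id with no user row" };
  }
  return { status: 201, userId: result.user.id };
}
```

The pre-flight check is not atomic with the insert, which is exactly why the post-call row lookup is kept even on routes where the pre-flight check already ran.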

58487cd7-5253-43f7-a0ba-1e1c5c87664c
